\section{Introduction}
Implicit in the capture and movement of medical information is the need to guarantee that proper privacy \& security policies are applied to every single information exchange transaction.  Additionally, any such information exchange needs to be governed by individual consent, empowering individuals to dictate how their private medical information is safeguarded.  Modern electronic medical information systems collect large amounts of patient information to enhance the quality of care provided to patients.  Although desirable, this has a tremendous potential for abuse, as the private information can be shared, disclosed and used for many other purposes.  

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) \footnote{\url{http://www.priv.gc.ca/information/guide_e.cfm}}
highlights the pervasive nature of electronic personal information in modern society. It directs our attention to the risks of private information exposure and the challenges of enforced disclosure of personal information, in a manner that recognizes an individual's right to privacy. The Ontario Personal Health Information Protection Act (PHIPA 04) further reflects the critical importance of individual consent for health information systems.

Often individual consent is solicited and additional privacy and security policies are put in place to limit the risks to an individual's privacy. However, when it comes to electronic information, these legislative preventive measures have proven to be inadequate, as they are reactive in nature. That is to say, policies alone are not sufficient. A {\bf preventative technical} solution is urgently required that can enforce individual consent and the other required policies for all electronic medical information exchanges.

Solving the consent challenge is a difficult task considering that consent is a multi-dimensional problem.  From a technical perspective modelling electronic consent requires creating a model that can:
\begin{itemize}
\item Clearly capture individual consent without ambiguity.  That is to say, the consent model should provide a consistent interpretation to all systems/parties; in other words, a consent policy should be semantically equivalent across all systems.
\item Allow sharing of consent information across diverse information systems. It would be naive to assume that a consent policy is system specific.  In fact, patient information is usually fragmented over many different heterogeneous medical information systems. Therefore, a consent policy should not be tied to a specific system implementation.
\item Enable an individual to describe different consent preferences for different systems.  The notion of a patient expressing a single global consent policy is not practical.  Given that a patient would potentially interact with many different systems for different services, a consent model should be flexible enough to allow patients to express scenario-specific consent rules.
\item Allow for knowledge inference. For example, a previously defined consent policy should allow for decision making in the presence of a new situation.
\item Be easy to incorporate into existing enforcement mechanisms (such as access control).
\end{itemize}

In this work, we present a framework to address the consent management challenges listed above.  Following are some of the desired features of our framework.

\begin{itemize}
\item Create a {\bf patient consent model} that {\bf allows for a rich expression} of individual consent in the healthcare setting, with a long-term goal of extending the consent model to other areas of information technology.

\item Create a consent centric {\bf access-control protocol} that can be deployed across heterogeneous information technology domains for consent enforcement. One of the key contributions will be to design a framework that can reason with consent information, and automatically enforce it under different new contexts/scenarios.

\item Provide the ability to {\bf audit and verify} all system-level access control decisions.  This will ensure that all system activity can be completely tracked and all system decisions can be verified for correctness.
\end{itemize}

\subsection{Motivational Example}

In order to provide motivation for our work, consider the following
example. Let us assume that a patient John is primarily treated
by Dr. Smith at the Toronto General Hospital (TGH). During his vacation
in Calgary, John was admitted to Calgary General Hospital (CGH) for 
emergency treatment. John is now being treated by Dr. Jane who
requires access to John's past medical history, in order to properly
diagnose and treat John. Dr. Jane requests access to John's medical
records from TGH. For the purpose of illustration, let us further
assume that John's medical records are protected by his consent policy
and the TGH institutional privacy and security policies. Please refer
to Figure~\ref{fig:MotivationalExample}.

The goal of our system is to allow Dr. Jane to be able to retrieve
the required patient medical information (for John) from TGH, while
still honouring all of the established privacy and security policies
put in place by the institution and John's consent policy.
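As an added illustration (not part of the paper, which gives no concrete consent model), the following Python sketch shows one way the requirements listed above and the TGH/CGH scenario could be realised: John's consent and TGH's policy travel with his record as system-independent rules, CGH layers its own rule on top, a request is allowed only if every applicable policy allows it, and each decision is written to an audit log. The contents of the three policies are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    requester: str      # clinician asking for the record
    institution: str    # institution where the request is evaluated
    patient: str
    purpose: str        # "treatment" or "research"
    emergency: bool = False


# Each policy maps a Request to "allow", "deny" or "na" (not applicable).
# Policies are plain rules with no system-specific state, so the same rule
# is interpreted identically at TGH and at CGH (requirement: semantic equivalence).

def john_consent(req):
    """Assumed consent: own physician always; any clinician in an emergency; never research."""
    if req.patient != "John":
        return "na"
    if req.purpose == "research":
        return "deny"
    if req.requester == "Dr. Smith" or (req.purpose == "treatment" and req.emergency):
        return "allow"
    return "deny"


def tgh_policy(req):
    """Assumed TGH institutional rule: records leave TGH only for treatment."""
    return "allow" if req.purpose == "treatment" else "deny"


def cgh_policy(req):
    """Assumed CGH rule, applied in addition to the imported protections."""
    return "allow" if req.institution == "CGH" else "deny"


# The record carries its own protections when it is shared (as in the figure).
JOHN_RECORD = {"patient": "John", "source": "TGH",
               "policies": [("consent", john_consent), ("TGH", tgh_policy)]}


def decide(record, req, local_policies, audit):
    """Deny-overrides combination: every applicable policy, travelling or local, must allow."""
    outcomes = [(name, p(req)) for name, p in record["policies"] + local_policies]
    applicable = [o for _, o in outcomes if o != "na"]
    decision = "allow" if applicable and all(o == "allow" for o in applicable) else "deny"
    audit.append({"request": req, "outcomes": outcomes, "decision": decision})  # verifiable trail
    return decision


def evaluate_at_cgh(req, audit):
    """CGH evaluates an imported TGH record under its protections plus CGH's own."""
    return decide(JOHN_RECORD, req, [("CGH", cgh_policy)], audit)
```

The audit entries record which policy produced each outcome, so a denied emergency request can be traced to the rule that blocked it.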


\begin{figure}[t]
\begin{centering}
\includegraphics[scale=0.25]{images/mitivational-example} 
\caption{A motivational example: John's EMR is protected by his consent and
TGH's privacy \& security policies. When Dr. Jane at CGH requests
access to these documents, they are shared under the same protection
that was offered by TGH. Furthermore, CGH may apply their own privacy
and security policies in addition to the existing ones.}
\par\end{centering}
\label{fig:MotivationalExample} 
\end{figure}
